Identity Privacy/Anonymous outer identities with PEAP in NAC
‎04-16-2014 06:43 AM
Hi,
is it possible to configure "Identity Privacy" with PEAP in NAC? This is possible with Microsoft NPS and is an option in common OS like Windows or Android. The key point is that the outer method does not include the "real" username. So if anyone captures the radius traffic the username is not sent in plaintext.
As this feature is possible with freeRadius I expect it should also be possible with NAC?
Best Regards
Michael
4 REPLIES 4
‎03-24-2021 07:56 PM
Hi Sam,
I just saw those lines at the end of the post are actually a white-colored hyperlink to some website, crap marketing at its finest. 😄
Cheers,
Tomasz
‎03-24-2021 04:15 PM
Hi
‎04-16-2014 12:08 PM
Hi Tyler,
thanks for your reply. The possibility to proxy the request to NPS is possible but in my common scenarios the NAC acts as RADIUS endpoint, so it would be interesting if NAC can handle this without RADIUS Proxy.
Best Regards,
Michael
‎04-16-2014 11:53 AM
Michael - if you are proxying to another RADIUS server, you should be able to set it up there. I'm not sure if it's something you can do when terminating on a NAC appliance though. With that said, you have to be careful when doing that if you're planning on using rules based on username. If you have an anonymous outer-identity and are proxying to another server, then I believe we will only see that outer-identity when evaluating the rules. You can, however, send back the username in the RADIUS Accept message to have it updated correctly in NAC and be able to use the rules.
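
Added example, not part of the thread and not code from any NAC product: a sketch of the identity handling described in the last reply, where username-based rules see only the outer identity from the Access-Request unless the upstream server returns a User-Name in the Access-Accept. The packets, the usernames and the helper names (`build_packet`, `identity_for_rules`) are constructed for illustration; a real PEAP request would also carry EAP-Message attributes, which are omitted here.

```python
import struct

USER_NAME = 1                          # RADIUS attribute type 1 (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes

def build_packet(code, ident, attrs):
    """Build a minimal RADIUS packet (constructed sample, zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return (code, {type: [values]}); reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def user_name(packet, expected_code):
    """Return the first User-Name value, or None if the attribute is absent."""
    code, attrs = parse_attributes(packet)
    if code != expected_code:
        raise ValueError("unexpected RADIUS code")
    values = attrs.get(USER_NAME)
    return values[0].decode("utf-8") if values else None

def identity_for_rules(request, accept):
    """Prefer User-Name from the Access-Accept; fall back to the outer identity."""
    outer = user_name(request, ACCESS_REQUEST)
    returned = user_name(accept, ACCESS_ACCEPT)
    return {"outer": outer, "effective": returned or outer}

# Constructed sample packets (usernames are placeholders)
REQ = build_packet(ACCESS_REQUEST, 7, [(USER_NAME, b"anonymous@example.org")])
ACC_WITH = build_packet(ACCESS_ACCEPT, 7, [(USER_NAME, b"michael@example.org")])
ACC_WITHOUT = build_packet(ACCESS_ACCEPT, 7, [])
```

RADIUS does not encrypt the User-Name attribute, so a real username returned in the Access-Accept is readable on the hop between the two RADIUS servers unless that link is protected separately.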
